Schadenfreude
03/17/2023, 4:50 PM
spicedb-operator, how do I specify the client cert that must be used to connect to my postgres datastore? I've added the cert as a TLS secret in Kubernetes, set the datastoreTLSSecretName to the name of the secret in the CRD, and set sslmode=require as a parameter in the datastore_uri but when I apply the CRD, I get errors like
unable to create migration driver for postgres: failed to connect to `host=a.b.c.d user=*** database=***`: server error (FATAL: connection requires a valid client certificate (SQLSTATE 28000))
from the operator's migration job and
2023-03-17 16:41:12.855 UTC [73658]: [1-1] db=***,user=*** FATAL: connection requires a valid client certificate
from postgres. So it seems like there is no cert being presented. Am I missing something? It works fine if I disable SSL on the db and set sslmode=never in the datastore_uri.
vroldanbet
03/17/2023, 4:51 PM
Schadenfreude
03/17/2023, 5:01 PM
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: spicedb
  name: spicedb
---
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: test
  namespace: spicedb
spec:
  config:
    channel: stable
    logLevel: debug
    datastoreEngine: postgres
    datastoreTLSSecretName: spicedb-datastore-tls
    replicas: 1
  secretName: test-spicedb-config
---
apiVersion: v1
kind: Secret
metadata:
  name: test-spicedb-config
  namespace: spicedb
stringData:
  datastore_uri: "postgresql://[username]:[password]@[a.b.c.d]:5432/[dbname]?sslmode=require"
  preshared_key: "[redacted]"
---
apiVersion: v1
kind: Secret
metadata:
  name: spicedb-datastore-tls
  namespace: spicedb
type: kubernetes.io/tls
data:
  tls.crt: [redacted]
  tls.key: [redacted]
datastore_uri must specify the path to the cert and key. With some digging around, I figured out where the datastoreTLSSecretName is mounted. The following URI succeeds: datastore_uri: "postgresql://[username]:[password]@[a.b.c.d]:5432/[dbname]?sslmode=require&sslcert=/spicedb-db-tls/tls.crt&sslkey=/spicedb-db-tls/tls.key"
Are these volume mount points guaranteed never to change?
ecordell
03/18/2023, 12:55 PM
patches if you want right now).
I filed https://github.com/authzed/spicedb-operator/issues/170 so we don't forget to clarify this
patches field (see https://github.com/authzed/spicedb-operator/releases/tag/v1.2.0 for docs), but I don't think we've seen anyone do that in the wild. If you end up figuring out how to connect through an auth proxy sidecar, we'd love to hear about it (and get it preserved in docs so others can use it)